This article explains how to create a Read-Only Administrator account in Office 365 for use with GSX for Office 365 Reports. This is for use with our Manual signup process and it is important that you complete all the steps. It is recommended that you use the PowerShell method, as this contains less steps, however at the bottom of this article you can also find some steps on how to do this via the Admin Portal.
Your organization will not be charged by Microsoft for this account as it does not require an Office 365 licence. More information about the rights and permissions this account requires can be found in our How It Works section.
Connecting to Office 365 using PowerShell
Before we begin, you need to install the "Microsoft Online Service Module" onto your machine. The "Set up your computer to use Powershell" section of our Connecting to Office 365 using PowerShell blog shows you how to do this.
Now open up Windows PowerShell and Copy & Paste in the following commands to connect to Office 365.
Please enter the username and password of an Office 365 Administrator account when prompted.
$Office365credentials = Get-Credential Import-Module MSOnline Connect-MsolService -Credential $Office365credentials $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $Office365credentials -Authentication Basic -AllowRedirection Import-PSSession $Session
Creating the Service Account
Now that you are connected to Office 365 in PowerShell, we can create the Service account.
Modify the line below and set the company.onmicrosoft.com part to match your own Office 365 .onmicrosoft.com domain and replace the password with a secure password of your own. We recommend a password of 10 characters or more that includes a mixture of capital and lower case letters, numbers and special characters.
New-MSolUser -DisplayName "Service Account for GSX 365 Usage Reporting" -UserPrincipalName "GSX365Usage@company.onmicrosoft.com" -Password "Password123" -PasswordNeverExpires $true -ForceChangePassword $false
Next we need to add our new account to the 'View-Only Organization Management' group and the 'Service Support Administrator' group. You can do this by copying and pasting the following 2 lines into the PowerShell window.
Remember to set the company.onmicrosoft.com part to match your Office 365 domain name
Add-RoleGroupMember -identity "View-Only Organization Management" -member GSX365Usage@company.onmicrosoft.com Add-MSOLRoleMember –RoleName "Service Support Administrator" –RoleMemberEmailAddress GSX365Usage@company.onmicrosoft.com
Please note that you will not receive any confirmation if the commands are successful.
Creating the Service Account via the Admin Portal
You can also create the service account via the Admin Portal, however you would still need to run a final PowerShell cmdlet to ensure that the password does not expire.
– On the Admin home page, go to Users –> Add a User
– Enter a Display Name ("Service Account for GSX 365 UsageReports")
– Enter a User Name ("GSX365Usage")
– Ensure that the domain is the company.onmicrosoft.com one
– Select "Let me create a password" and enter a strong one
– Ensure "Make this user change their password when they first log in" is NOT ticked
– In the roles section, select "Customized administrator" and then "Service administrator"
– Do NOT assign a product license – leave everything as default and click the "Add" button
Once the user is created, navigate to the Exchange Admin Portal (Admin Centers –> Exchange in the left navigation menu):
– Navigate to Permissions –> Admin Roles
– Select the "View-Only Organization Management" role and then click the "Edit" button at the top of the list (the pencil icon)
– In the newly popped up window, scroll down to Members and add the newly created service account as a member
Finally, in PowerShell, run the below cmdlet so that the password does not expire:
Set-MsolUser -UserPrincipalName GSX365Usage@company.onmicrosoft.com -PasswordNeverExpires $true
If you have any problems with the account creation or wish to speak to us you can log a ticket by emailing your question to firstname.lastname@example.org
The service account has now been created and you can complete the manual signup process.